Difference between revisions of "PSWEpisode632"

From Paul's Security Weekly

Revision as of 20:19, 3 December 2019

Recorded December 19, 2019 at G-Unit Studios in Rhode Island!


DevOps and Securing Applications

Description

Guests

Hosts

Resources

Security vs. Compliance

Description

It was once said that if Security and Compliance were in a relationship the status would be "It's Complicated". This discussion will aim to help you understand this relationship and how it can be beneficial or a mere distraction to an organization's overall security posture.

  1. Define "Secure" and "Compliant".
  2. Does compliance merely raise awareness about security shortcomings?
  3. What is the relationship between Security and Compliance?
  4. Being Secure and being Compliant are mere points in time. How can we best develop a process that ensures we are always striving toward a secure and compliant state?
  5. How does Security impact and/or influence Compliance?
  6. How does Compliance impact and/or influence Security?
  7. How do you balance these extremes: "We will be Secure and ignore compliance" vs. "We will be Compliant and ignore security"?

Guests

Hosts

Resources

Security History - Lessons from the past

The history of security can be traced back to a variety of different sources. The number of articles on the topic is dizzying. Most will cite names of early phone phreaks, Kevin Mitnick, Kevin Poulsen, Steve Jobs, Steve Wozniak, and then quickly transition to more recent "hacks" or breaches. Our goal is not to review the history of hacking. This is the history of security. We've carefully chosen key events and research to discuss the very beginnings of security, and their impact and lessons for today's ever-evolving security landscape.

Description

  1. 1939-1940 - Breaking the Enigma cipher - BOMBE was the name of an electro-mechanical machine, developed during WWII by Alan Turing and Gordon Welchman whilst working as codebreakers at Bletchley Park. It was used to help break the German Enigma codes and was (partly) based on the so-called BOMBA, an earlier machine developed by Polish mathematicians in 1938. From 1943 onwards, an improved version of the British BOMBE was built in the US by the US Navy and, independently, by the US Army.
  2. 1966 - The World's First Computer Password? It Was Useless Too - Fernando Corbató implemented passwords on the Compatible Time-Sharing System (CTSS) on an IBM 7090. CTSS may also have been the first system to experience a data breach. One day in 1966, a software bug jumbled up the system's welcome message and its master password file, so that anyone who logged in was presented with the entire list of CTSS passwords. But that's not the good story. Twenty-five years after the fact, Allan Scherr, a Ph.D. researcher at MIT in the early '60s, came clean about the earliest documented case of password theft. In the spring of 1962, Scherr was looking for a way to bump up his usage time on CTSS. He had been allotted four hours per week, but it wasn't nearly enough time to run the detailed performance simulations he'd designed for the new computer system. So he simply printed out all of the passwords stored on the system.
  3. 1969 - RABBITS Was Probably The First Computer Virus: 1969 - The first computer virus in history may have been a program called RABBITS. Nobody knows who made it, and nobody knows why, but whoever it was brought the University of Washington Computer Center down. It was a tiny, inconspicuous program that made copies of itself—breeding, as its name suggested, like rabbits. In 1969, someone installed it onto a computer at the university and let it run. The program made two copies of itself, and then each of those copies made copies until the computer overloaded and stopped working.
  4. 1971 - Creeper and Reaper - Creeper was an experimental computer program written by Bob Thomas at BBN in 1971. Its original iteration was designed to move between DEC PDP-10 mainframe computers running the TENEX operating system using the ARPANET, with a later version by Ray Tomlinson designed to copy itself between computers rather than simply move. This self-replicating version of Creeper is generally accepted to be the first computer worm. The program was not actively malicious software, as it caused no damage to data; the only effect was a message it output to the teletype reading "I'm the creeper: catch me if you can". Reaper was a similar program created by Ray Tomlinson to move across the ARPANET and delete the self-replicating Creeper.
  5. 1973 - Oral History of Robert Metcalfe - What had happened was a couple of high school students hacked into the Arpanet through one of the early TIPs. A TIP [Terminal IMP] was a way to dial into a Telnet program so you could then log in to any of the computers on the Arpanet. Imagine that! And some high school students, as I recall they were probably in Los Angeles around UCLA, somewhere like that, managed to find out the phone number. No one was keeping it a secret. Acoustically coupled modems were the big thing in those days, and so these high school kids got into some of the computers and did some mischief. They caught my attention, so I wrote this 602 RFC saying “Look out! Trouble!”
    1. RFC 602 The Stockings Were Hung by the Chimney with Care - Individual sites, used to physical limitations on machine access, have not yet taken sufficient precautions toward securing their systems against unauthorized remote use. For example, many people still use passwords which are easy to guess: their first names, their initials, their host name spelled backwards, a string of characters which are easy to type in sequence (e.g. ZXCVBNM).
  6. 1986 - A Brief History of Cyber Crime - In 1986 the systems administrator at the Lawrence Berkeley National Laboratory, Clifford Stoll, noted certain irregularities in accounting data. Inventing the first digital forensic techniques, he determined that an unauthorized user was hacking into his computer network. Stoll used what is called a “honey pot tactic,” which lures a hacker back into a network until enough data can be collected to track the intrusion to its source. Stoll’s effort paid off with the eventual arrest of Markus Hess and a number of others located in West Germany, who were stealing and selling military information, passwords and other data to the KGB.
  7. 1988 - The History of Cybersecurity - a Cornell graduate student named Robert Morris had an idea: he wanted to gauge the size of the internet. To do this, he wrote a program designed to propagate across networks, break into Unix systems using known vulnerabilities, and then copy itself. The replication logic proved to be a mistake. The Morris worm replicated so aggressively that the early internet slowed to a crawl, causing untold damage. The worm had effects that lasted beyond an internet slowdown. For one thing, Robert Morris became the first person convicted under the Computer Fraud and Abuse Act (although this ended happily for him; he is currently a tenured professor at MIT). More importantly, the incident also led to the formation of the Computer Emergency Response Team (CERT, the precursor to US-CERT), which functions as a research center for systemic issues that might affect the internet as a whole.
  8. 1987 - History of Antivirus - At the end of 1987 there was big movement in the antivirus industry, with the founding of the now world-famous McAfee company (acquired by Intel in 2011) and the creation of the first antivirus products. G Data Software was reportedly the first to market that year with "Ultimate Virus Killer 2000", shortly followed by McAfee's "VirusScan".
  9. 1984-1986 - The History and Evolution of Intrusion Detection - Between 1984 and 1986, Dorothy Denning and Peter Neumann researched and developed the first model of a real-time IDS. This prototype was named the Intrusion Detection Expert System (IDES). IDES was initially a rule-based expert system trained to detect known malicious activity. The same system has since been refined and enhanced to form what is known today as the Next-Generation Intrusion Detection Expert System (NIDES).
  10. 1980-1994 - Who Invented The Firewall? - William Cheswick and Steven Bellovin, who literally wrote the book on firewalls in 1994 while at AT&T Bell Labs, say they didn't invent the firewall either; they built a circuit-level gateway and packet-filtering technology. Most security experts trace the firewall's roots back to work done at Digital Equipment Corp. in the late 1980s by Jeff Mogul, Brian Reid, and Paul Vixie, starting with the gatekeeper.dec.com gateway, as well as to Mogul's "screend" packet filter. DEC SEAL, which shipped in 1992, was the first commercial firewall and included proxies developed by Marcus Ranum. "DEC SEAL was interesting because it had a part number and a manual and a corporation behind it," Ranum says.
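The guessable-password patterns RFC 602 lists in item 5 (first name, initials, host name spelled backwards, a run of adjacent keys such as ZXCVBNM) are easy to test for mechanically, and they are still the first guesses an attacker tries. The following is an added example, not code from the episode or from the RFC: a small Python checker that reports which of those patterns a password matches, run over a handful of constructed accounts. The user names, host names and passwords are hypothetical.

```python
"""Flag the guessable-password patterns RFC 602 (1973) warns about.

Added example; the account data below is constructed, not from the RFC.
"""

# Rows of a QWERTY keyboard, used to catch "easy to type in sequence"
# passwords such as the RFC's own example, ZXCVBNM.
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_keyboard_run(password, min_len=4):
    """True if the password is a run of adjacent keys on one row, in
    either direction (e.g. 'asdf', 'poiuy', 'zxcvbnm')."""
    p = password.lower()
    if len(p) < min_len:
        return False
    return any(p in row or p in row[::-1] for row in QWERTY_ROWS)


def rfc602_weaknesses(password, first_name, initials, hostname):
    """Return the RFC 602 patterns the password matches (empty list = none).

    Comparisons are case-insensitive. `hostname` may be a bare name
    ('mit-ai') or fully qualified ('mit-ai.arpa'); both spellings are tried.
    """
    p = password.lower()
    host = hostname.lower()
    short_host = host.split(".")[0]
    findings = []
    if p == first_name.lower():
        findings.append("first name")
    if p == initials.lower():
        findings.append("initials")
    if p in (host[::-1], short_host[::-1]):
        findings.append("host name spelled backwards")
    if is_keyboard_run(p):
        findings.append("keyboard sequence")
    return findings


# Constructed sample accounts: (username, first name, initials, host, password).
# Every user and host here is hypothetical.
SAMPLE_ACCOUNTS = [
    ("rem", "Bob", "REM", "parc-maxc", "zxcvbnm"),
    ("jdoe", "Jane", "JD", "mit-ai.arpa", "ia-tim"),
    ("ksmith", "Ken", "KS", "ucla-nmc", "Ken"),
    ("aturing", "Alan", "AMT", "bletchley", "Tr0ub4dor&3"),
]


def audit(accounts):
    """Map each username with a guessable password to the patterns it matched."""
    report = {}
    for user, name, initials, host, password in accounts:
        findings = rfc602_weaknesses(password, name, initials, host)
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(findings)}")
```

Run stand-alone, it reports three of the four constructed accounts; the fourth password matches none of the RFC's patterns. A real deployment would run the same checks at password-change time with the account's own attributes, which is exactly the information the RFC notes an attacker already has.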

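Item 9 describes IDES as a system that applied rules to audit records to flag known malicious activity; Denning's published model also kept a profile per subject and compared new activity against it. As an added illustration, not code from the episode or from SRI's IDES, the Python below runs three such rules over a constructed login audit log: repeated failed logins for one account from one source inside a short window, a successful login from a host not in the user's profile, and a successful login outside working hours. The log lines, user names, host names, record format and thresholds are all made up for the example.

```python
"""Rule-based checks over login audit records, in the spirit of IDES.

Added example; the audit log, users, hosts and thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records (hypothetical users and hosts), one per line:
# "<ISO-8601 timestamp> <subject> <action> <source host> <result>"
SAMPLE_AUDIT = """\
1986-08-10T09:01:12 alice login lbl-csam success
1986-08-10T09:03:40 guest login dialup-3 failure
1986-08-10T09:03:44 guest login dialup-3 failure
1986-08-10T09:03:49 guest login dialup-3 failure
1986-08-10T09:03:55 guest login dialup-3 failure
1986-08-10T09:04:02 guest login dialup-3 success
1986-08-10T23:40:00 bob login dialup-3 success
1986-08-11T08:15:30 bob login lbl-ux1 success
"""

# Per-subject profile: hosts each user has logged in from before (baseline).
KNOWN_HOSTS = {"alice": {"lbl-csam"}, "bob": {"lbl-ux1"}}

WORK_HOURS = range(7, 19)  # 07:00-18:59 counts as normal


def parse_record(line):
    ts, subject, action, source, result = line.split()
    return datetime.fromisoformat(ts), subject, action, source, result


def detect(audit_text, profiles, fail_threshold=4, window=timedelta(seconds=60)):
    """Return alerts as (timestamp, subject, rule, detail) tuples.

    Rules:
      PASSWORD_GUESSING  fail_threshold failures for one (subject, source)
                         inside `window`; fires once when the count is reached
      UNKNOWN_SOURCE     successful login from a host not in the subject's profile
      OFF_HOURS          successful login outside WORK_HOURS
    """
    alerts = []
    failures = defaultdict(deque)  # (subject, source) -> recent failure times
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        ts, subject, action, source, result = parse_record(line)
        if action != "login":
            continue
        key = (subject, source)
        if result == "failure":
            recent = failures[key]
            recent.append(ts)
            while ts - recent[0] > window:  # drop failures outside the window
                recent.popleft()
            if len(recent) == fail_threshold:
                alerts.append((ts, subject, "PASSWORD_GUESSING",
                               f"{fail_threshold} failures from {source} "
                               f"within {int(window.total_seconds())}s"))
            continue
        # Successful login: compare against the subject's profile and the clock.
        if source not in profiles.get(subject, set()):
            alerts.append((ts, subject, "UNKNOWN_SOURCE",
                           f"first login seen from {source}"))
        if ts.hour not in WORK_HOURS:
            alerts.append((ts, subject, "OFF_HOURS", f"login at {ts:%H:%M}"))
        failures.pop(key, None)  # a success closes the failure streak
    return alerts


if __name__ == "__main__":
    for ts, subject, rule, detail in detect(SAMPLE_AUDIT, KNOWN_HOSTS):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {rule:<17} {subject}: {detail}")
```

On the constructed log this yields four alerts: the guessing burst against `guest`, the following success from a source `guest` has no profile for, and `bob`'s late-night login from an unfamiliar host, which trips both the profile rule and the time-of-day rule. The same structure (audit record, per-subject profile, activity rule) is what later host-based IDS and SIEM correlation rules still use; the hard part, then as now, is choosing thresholds that catch the intruder without paging on every mistyped password.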
Guests

Hosts

Resources